From Russia, Without Love

Some are screaming in protest, while others stare fearfully at something beyond the edge of the computer screen. Sometimes their heads are sheathed in clear plastic bags, sometimes their mouths sealed with duct tape. And always, there is a weapon -- a gun, a knife, a penis -- and the sadistic laughter of the person wielding it.

The "rape fantasy" web portal promises to supply every horrific color of forced sex imaginable "unleashed upon innocent victims" -- and for as little as $39.95 a month. One sample video shows a man posing as a masked intruder who's attacking a woman in the shower. To a soundtrack of aggressive techno beats, he slams her head into the tile and rapes her over the toilet. Some of the videos conclude with the victim portrayed as bloody, beaten or dead.

This isn't playful porn. It's not just kinky or raunchy. It's the darkest dreck in the back alley, a serial-killer movie without human context or moral return, some of the most brutal and graphic "extreme pornography" content on the web today, and much of it comes from Russia, where laws are lax, to the United States, where demand is high.

On the opening page, the anonymous creator behind www.actiondev.com writes that every link in the Action Devil directory has been personally reviewed and tested by him so that a viewer is not redirected to a meaningless link farm or a frenzy of maddening porno pop-ups. "I decided to create this website to help you find real good quality web sites," the webmaster explains. "It will not infect your computer with any kind of annoying software, spyware, dialers."

This strangely heartfelt declaration might be more convincing if the Action Devil directory didn't promote itself by hijacking computer sites -- many of them belonging to University of Colorado at Denver students.

Kathy Kirchhoff never thought she'd wind up promoting the online skin industry. In 2001, she earned a community-college web-design certificate that she used to build a website for a local book-publishing house. With previous experience in both software development and computer research, the Littleton resident then enrolled at the University of Colorado at Denver, where she's working toward a degree in electrical engineering.

In several UCD classes, students are required to build personal websites on server space carved out from http://ouray.cudenver.edu, an address known simply as "Ouray," which is also the major host for student e-mail. After completing a basic home page with a link to her resumé and brief biographical information, Kirchhoff moved on to other projects and soon forgot about the site. She hadn't logged on to it for months when she was told about the odd links attached to her personal web space.

"This is not good," she said, as the Action Devil site popped up. "God, this is bizarre."

Viewers were being herded to her site through a link found on a variety of search engines that promised "free rape and forced sex videos." After a double click, the surfers momentarily landed on Kirchhoff's page before being rerouted to various sections of the rape-porn clearinghouse, which features explicit selections from membership-only websites with titles like Violent Incest, Exploited Bitches, Brutally Raped and Forced to Prostitute.

Even with her years of computer experience, Kirchhoff couldn't figure out how her obscure site had been hijacked.

Hers wasn't the only site being used and abused. At least seven other dormant websites belonging to former and current UCD students had become springboards to the rape-pornography underworld. By the end of July, the Internet links to the Ouray server had become so powerful that they pushed one student's site to the top ranking on a Google search for "rape porn" -- out of nearly a million relevant links.

And still, no one at UCD had a clue that their school's server had become the number-one extreme-porn gateway in the world.

William Freud doesn't answer questions so much as methodically deconstruct them and then build the pieces into a response. For listeners, the reassembly can seem laborious and complex. But then again, so is the job description of the Assistant Vice Chancellor of Information Systems. He attained this title in 2004, when the CU board of regents approved the consolidation of the University of Colorado at Denver with the University of Colorado Health Sciences Center to create the unwieldy acronym UCDHSC.

Though the two schools retained their respective facilities on the Auraria campus and at Fitzsimons, their financial and administrative operations were conjoined. Their technical systems had to be merged as well, and it was up to Freud to oversee the consolidation of the online entities, which now include a complicated overlay of servers supporting assorted networks dispersed around the two campuses. Freud knows the system well; he started working for CU in the late '80s, at the tail end of the mainframe era when the World Wide Web was still a glimmer on the horizon. Today, UCDHSC's IT department has 85 full-time employees, with another 32 part-time workers.

"Computers are complicated," Freud says. "Programming can be complicated. The cables, the wires, the networks can be complicated." And building the nuts and bolts of the system and ensuring access for students, faculty and other researchers is only "part one" of IT operations, he points out. Part two is defense. "It used to be our jobs to make the systems work," he laments. "Now it's become our job to keep it working while under constant attack."

Growing hordes of malware, viruses, worms, Trojan horses, spyware and adware crawl across the dark Internet landscape, while an endless bombardment of spam saps e-mail filters and sucks up valuable storage space. (The University of Colorado at Boulder estimates that 75 percent of the more than 1.5 million e-mail messages processed by its servers each day are spam.) All of this creates an unrelenting din of downloadable chatter forever bouncing against the system's firewall.

"The ones that we stopped at the door with security appliances, they're not even notable to us," Freud says. "There's so many known exploits that what you look at is the exception that got through. So managing those exceptions becomes the focus. It's the things that you didn't stop."

The true barbarians at the gate are malicious hackers -- known as "crackers" -- who troll the Internet for susceptible machines that they can mine for personal data or credit-card numbers they can use in identity-theft schemes. Using viruses or bots -- also known as "zombies" -- the crackers seek out poorly secured computers and infect them with software that turns systems into electronic Manchurian Candidates. A zombie can be surreptitiously activated and used by a spammer to bypass Internet Protocol address blacklists and send out millions of messages, supporting a scheme while remaining almost untraceable.

To prevent such nefarious programs from breaching the UCDHSC system's perimeter, security shields must be updated regularly. "There was a time when a thousand attacks a day sounded like a lot," Freud says. "Now, in the hundreds of thousands is pretty routine."

And then there's the porn.

UCDHSC isn't the only educational institution whose computer network was conscripted to peddle X-rated links. While a Denver student's Ouray site held the top rape-porn slot, the all-knowing mind of Google revealed that South University in Georgia was housing a link to "Britney Spears porn." The University of Dayton's website was linked to a company promoting "gay leather rape." Even a portion of Stanford University online was electronically hijacked so that it would point toward "lolita forced sex preteens rape."

These hijackings weren't pranks or some kind of perverse political statement. The squatters had taken over underused or abandoned areas of college systems for a single purpose: to redirect outside traffic toward directories that served the same catalogue of violent adult websites.

Many of the compromised university systems were also used as platforms to advertise generic pharmaceuticals and online casino sites. Crystal Murdoch's personal UCD web page was co-opted to push pills. The electrical-engineering major had posted the last diary entries on her pink-hued "princess blog" back in January. By July, someone had added the special tag "ph1.htm" to her Ouray address, which now redirected surfers to an online pharmacy that specialized in the diet pill Phentermine. But Murdoch got off relatively easy: Other students became unwitting middlemen in the exchange of generic forms of Xanax, Cialis and Viagra.

One reason university computer networks present such attractive targets is that institutions of higher learning have to maintain a careful balance between openness and security. "Often what is required in the classroom experience is the ability to collaborate among peers," Freud explains. "So opportunities are created for sharing of disk space or computing space, and so the idea of going to lockdown just isn't an option if you want to maintain that dynamic." In other words, scholarly research necessitates the free flow of information and ideas, with students and faculty alike expecting unencumbered Internet access and file-sharing abilities.

Adding to the allure of university sites is the fact that they're frequently organized under decentralized, semi-autonomous divisions, making it difficult for schools' IT teams to enforce a blanket data-security policy. In contrast, large corporations and financial institutions have networks just as sprawling as those of large universities, but they exercise greater control over who -- and what -- can enter.

So if you can't build a wall around the village, how do you protect it?

"Good fences," says Trent Hein, CEO of Applied Trust Engineering, a Boulder-based IT consultancy. The firm's clients range from municipalities to corporations, and it also consults with UCDHSC on infrastructure and defense issues.

Ned McClain, who founded the firm with Hein in 2001, recognizes that the issue of openness forced universities to find creative solutions to information security. "Every other organization was saying, 'Well, we trust everybody inside the network, it's just these bad guys out there we have to worry about,'" says McClain. "Universities have students, and not every student was going to be good all of the time. The students could directly put porno on their websites if they wanted to. So the role is more like that of an Internet Service Provider in that there's this trust you had to extend to the end-user."

In fact, it was trouble at a university that led to the birth of the information-security industry. In 1988, Robert Morris, a 23-year-old graduate student at Cornell University, unleashed the first computer worm. Hein recalls the day well: He was working for CU Boulder's UNIX operations group, which was responsible for the school's Internet connectivity at the time. "Everyone really considered being on the Internet such a privilege," Hein recalls. "It was such a usable utility that, while theoretically we knew that there were security weaknesses and holes, nobody would ever exploit them."

Morris, a computer-science major, later claimed that he'd written the experimental program simply to gauge the size of the Internet. But when he introduced it into the fledgling network through a computer at MIT, the self-replicating software quickly infected and overwhelmed machines across the country. Like most university systems, CU was offline for three days.

"The philosophy prior to that day was that this is all an open-utility network and we can all use it to better do research," Hein says. "And then that all started to change."

While the commercial sector quickly began investing in technology that could seal its digital borders, educational institutions pursued a layered strategy that limits access in some areas but allows for freer traffic in others. Freud calls it "defense in depth." Important administrative data like student personal information or sensitive research is housed under the tightest restrictions, while sections less vital to college operations, such as student web pages, aren't as locked down. But given the dynamics of ever-changing technology and a highly transient student population, it's much easier to create a security layout than to maintain it.

"So one of the key layers is training. Training people to use these accounts, good computing practices," says Freud. "Don't share your password with people. If you're granted control over your own computing space, don't open it up too broadly."

If you do, you might be inviting rape-porn hijackers.

UCD's Ouray website shows up alongside thousands of others on a list compiled by Cornell computer systems researcher Emin Gun Sirer. A name server is the device that networks use to translate individual Internet Protocol numbers into a human-friendly identifier; it's what changes 64.255.172.50 into www.fun.com. "Our study found that some of the name servers involved in this lookup contain known vulnerabilities," he says. Using tools readily available over the Internet, "an attacker can use these vulnerabilities to break into a name server and take over a set of pages that it serves."

Internet log files collected by the web-traffic analysis company AWStats show a dramatic rise in traffic to Ouray earlier this year. In May, records indicate, the site had 7,076 key-phrase searches for things like "Iraq War," "parabola formula" and "dragon ball." By July, the site's traffic had exploded to 35,197 searches in the realm of "Viagra," "real rape" and "anal rape."

UCD finally learned of the hijacking in early July, when a student discovered that his Ouray site had gone wild. Really wild.

"It appears that the security permissions had been loosened up and either a robot or a person had taken advantage and was able to redirect a few web pages," Freud says. "In the scheme of things, this was relatively small in scope."

The school proceeded to "scrub" the servers of the rape-porn links. "A lot of hours did go into trying to clean that problem up," says Danielle Zieg, director of media relations.
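The two conditions Freud describes above, loosened permissions and pages redirected off-site, are things an administrator can audit for. The sketch below is an added example, not code from the article or from the university. It assumes student pages live under per-user `public_html` directories, and the directory names, sample pages and `example.net` target are constructed.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Hosts treated as on-site. ouray.cudenver.edu is the server named in the
# article; every other name and path in this example is constructed.
LOCAL_HOSTS = {"ouray.cudenver.edu"}
# <meta http-equiv="refresh" content="3; url=..."> (http-equiv before content)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*(\d+)\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE)
# location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(
    r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']', re.IGNORECASE)

def offsite(url):
    """True when the URL names a host outside LOCAL_HOSTS."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in LOCAL_HOSTS

def find_redirects(html):
    """Return (kind, target) pairs for redirects that leave the site."""
    hits = []
    for m in META_REFRESH.finditer(html):
        if offsite(m.group(2)):
            hits.append(("meta-refresh %ss" % m.group(1), m.group(2)))
    for m in JS_REDIRECT.finditer(html):
        target = m.group(1) or m.group(2)
        if offsite(target):
            hits.append(("script", target))
    return hits

def audit(root):
    """Walk root; report world-writable entries and off-site redirect pages."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode  # lstat: symlinks are not followed
            if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
                findings.append((rel, "world-writable", ""))
            if stat.S_ISREG(mode) and name.lower().endswith((".htm", ".html")):
                with open(path, errors="replace") as fh:
                    for kind, target in find_redirects(fh.read()):
                        findings.append((rel, kind, target))
    return sorted(findings)

def build_sample(root):
    """Constructed tree: a clean home page plus one injected redirect page."""
    home = os.path.join(root, "student1", "public_html")
    os.makedirs(home)
    pages = {
        "index.html": '<html><a href="resume.html">Resume</a></html>',
        "ph1.htm": '<html><meta http-equiv="refresh" '
                   'content="3; url=http://pharmacy.example.net/">'
                   'keyword text left for crawlers</html>',
    }
    for name, body in pages.items():
        with open(os.path.join(home, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(home, name), 0o644)
    os.chmod(os.path.dirname(home), 0o755)
    os.chmod(home, 0o777)  # the loosened permission that lets others write
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(build_sample(tmp)):
            print(finding)
```

A world-writable directory with a redirect page nobody remembers creating is the pairing to investigate first; either finding alone can be legitimate.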

Although Freud acknowledges that the school has since tightened permissions on Ouray and built other security measures that made file access more restrictive, he declines to go into specifics on the attack and how the IT team fought back. "I don't think it helps the security position of the university to make very in-depth statements about how we secure the computing environment," Freud says.

"When I started programming, I never expected to find myself a security officer," he continues. Today, he estimates, 60 percent of his department's resources go to security. "I was a computing guy. I liked writing programs that worked. I like helping people make things work. And this new angle of being under constant attack is stressful. But it's just something you grow into by necessity. It's part of computing today."

Neither Zieg nor Freud will say whether the incident was reported to law enforcement. It's not the role of the IT team to hunt down bad guys, Freud says; instead, his department focuses on remediation and prevention, a better use of scarce resources. After all, a miscreant's trail might lead to a host in China, which traces the attack to a mainframe in London, which is linked to a server in Argentina. "And it would take the cooperation of each of those people at each of those points along the way to say, 'Yes, I am going to commit my resources and open my log book up to you, and involve my local police, to track down someone that could still be ten hops further back,'" Freud points out.

Three weeks after Freud and his team cleared the links from the Ouray server, a rape-porn link turned up on the Colorado School of Mines website. This time, though, it wasn't attached to a deserted student web page, but the site for the school's continuing education department. The link has since been removed. (The school's IT department did not return Westword's calls.)

The site that Mines was linked to, www.best-sites-only.info/rape (Forced Fuckers, Violent Comix, Forced Witness, etc.), was also found to have injected links to the Indiana University School of Music and the University of Texas at Arlington. According to a domain-name ownership search, that rape-porn portico is registered to a man who lists his name as Baranov Vladimir of Moscow.

UCD's rape-porn link has a Russian connection, too.

"It is not spamming," says the individual who signs his name as Vitaly and whose e-mail address carries an "ru" name-server tag, indicating that the account is hosted in Russia. "It is called Search Engine Optimization. People tend to call it spamming, but it is not. We do a lot of research on SEO and then apply our newfound knowledge to our web pages. We generate traffic, traffic generates our income."

Vitaly's e-mail address is listed as the contact for dozens of websites that have been connected to hijacked university links. The names of the registrants vary (Roman Ovsiannikov, Alex Beliy, Inna Nikonenko), but the address listed is always the same apartment at 1061 Elizabeth Street in Denver.

But "we are not in Denver," Vitaly claims. "Our job allows us to be anywhere in the world as long as we have computer and Internet access."

According to Stephen Yagielowicz, senior editor of Xbiz, an adult-industry trade publication, organized crime in Russia is responsible for much of the rape-porn production. "The Russian mafia is involved in a lot of that material where it's beyond regulation of U.S. lawmakers," he says. "But still, the U.S. is the largest market for everything, so it always finds its way here."

Ron Russ, a legal consultant who specializes in Internet pornography, says it's clear why the violent-pornography trade is centered in the former Soviet republics. "They don't have any real laws over there," he explains. "I see a lot out of Bulgaria, Ukraine, Russia, with very little to no law on it. I've worked with the Netherlands, Interpol and the FBI, and there's nothing we can do about it."

Vitaly insists that his company is not producing the porn. Its function is to be the online intermediary between the customers and the websites selling the content, he says.

Brandon Shalton, CEO of T3Report.com, a company that maps affiliate relationships in the online adult-entertainment industry, explains it like this: Websites that sell a specific product (pornography, pharmaceuticals, online gaming) will work with "affiliates" charged with increasing traffic to those sites. When an affiliate steers a customer to a website, the affiliate is paid a certain amount for whatever the customer buys (a membership to the porn site, for example). The more customers to the site, the more the website sells and the more the affiliate gets paid.

Cruel Money is one of the companies recruiting affiliates for some of the rape-porn sites that have been linked to Ouray and other university sites. Website owners who direct traffic to sites like Banned Family Porn, Sexual Violence and Brutally Raped are rewarded by Cruel Money; according to its website, payment is sent via wire transfers twice a month.

"It all ties back to search-engine ranking," Shalton says. "They're just trying to do whatever they can to get eyeballs to their page."

Often the most effective, and publicly reviled, technique for doing this is by launching spam. But spammer gangs are finding it difficult to get reliable hosting as more and more ISPs blacklist spamming operations. "Spammed pages get shut down faster and faster," says Vincent Hanna of the Spamhaus Project, an international anti-spam group, and so spammers have turned to hijacking machines and turning them into spam-sending zombies. "While a lot of spam gangs already resorted to using compromised machines for sending out the mail, they now also use compromised machines to host websites that are advertised in spam." Not only do the spammers get free hosting, but they are able to avoid detection by adding layer upon layer of websites.

Vitaly insists that what may look like a hijacking could actually be a domain name that's been purchased fair and square. His company starts by finding an old web page that has been discontinued by its creator, though much of the content and links are still present. Vitaly then snatches up the site at a cheap price and uses it to host links for whatever websites he's in partnership with.

"The job itself has no secrets," says Vitaly. "All the information is completely open. There is nothing illegal in being webmaster, exchanging links or posting a comment."

But there is something illegal about sneaking onto university systems and redirecting pages to violent porn sites for profit.

"Really, it's trespassing," explains Dave Carlson, who owns Littleton-based Green Chair Marketing Group. "They're not authorized as a student or faculty to have access. But even if they were, they would get in trouble. Obviously, the school wouldn't want to be associated with those types of sites."

In the "black hat" segment of Internet marketing, though, lists of compromised machines are a commodity that can be bought and bartered for like pork-belly futures. University and government sites have particular value because of their high-speed Internet connections and more porous security layouts. "The .edu or .gov extensions have a lot of authority with search engines," Carlson notes. "What Google is seeing is the University of Colorado at Denver, and the search engines don't stick around a long time in a page. After about two or three seconds, the site redirects, and the search engine never sees that the porn sites are being hosted somewhere else."

That's what Denise Grollmus, a writer at the Cleveland Scene, learned when she discovered a page devoted to "Ronnie Shelton Ohio Rape Photos." Shelton has a particularly heinous distinction in the Midwest, where he raped 28 women in their homes between 1983 and 1988. Though the site doesn't provide actual photos of the attacks, it pushes surfers toward other web pages offering porn based on real stories. The initial links that pulled surfers into the rape-porn rabbit hole, however, were sites devoted to folk art, dogs or home improvement that the original owners had discontinued -- with no idea that their creations would later be used to advertise violent sex.

Grollmus traced the site to owners Alex Beliy and Roman Ovsiannikov, who reportedly lived in Denver.

At 1061 Elizabeth Street, to be exact. And Eva Boitschev, the building's manager, confirms that Ovsiannikov and Beliy lived in apartment 106. "It was back in 2001, for about seven months," she says, adding that she had to evict them for housing too many people in the small apartment.

Boitschev says she hasn't heard from either of them since. But Ovsiannikov stuck around Colorado long enough to get a speeding ticket, on which his birth year is listed as 1981. And another person at the building says that while Ovsiannikov was deported, last he heard the young man was back in Colorado, with a new name.

And apparently new business opportunities.

Vitaly, who's denied being either Ovsiannikov or Beliy, has stopped responding to Westword's inquiries. But the university hijackings continue, with both the University of Indiana and Watkins College of Art and Design in Nashville falling prey this fall. The latest portal to pop up when you Google "rape porn" is a biotechnology class website hosted by the University of California at San Diego.

From biotech, it's a quick trip to violent sex photos that show a young female pinned to the carpet with a knife at her throat, her mouth and wrists bound in tape. She is crying. The text promises gang rape, torture and blood. Memberships to this rape-porn site start at $39.95. A pop-up pushes another rape-porn site, Fantasy Promotions. And a bulletin announces the launch of Forcedteenagers.com: "Yes, another teen site you might think, but all our stats point towards a still very untapped market, when it comes to mixing beautiful innocent teens and forced sex. We have gotten as good ratios from Forced Teenagers as we have done from our other block buster site Forced Teen Movies, so expect another solid cash cow from Forced Teenagers."

And as for the teenagers attending UCSD, whose site has been hijacked by this trash? "No comment," says Pat JaCoby of the school's communications department, who hadn't heard about the rape-porn link until he was contacted by Westword. "Inappropriate use of Internet technology is everywhere. So when we see inappropriate use, we remove it as soon as possible. Creative hackers can produce this kind of material and affiliate it with different websites. They're being proactive, and we can only be reactive."